![[Image: Sauron-Locker-2024.webp]](https://blackhattool.com/wp-content/uploads/2025/07/Sauron-Locker-2024.webp)
What is Sauron Locker 2024?
Sauron Locker is a Ransomware-as-a-Service (RaaS) strain first identified in 2024. It encrypts files on infected systems and demands payment (usually in cryptocurrency) for decryption.
Key Characteristics:
- Double Extortion Model (encrypts files + steals data for leverage)
- Targets Businesses & Critical Infrastructure (high-impact attacks)
- Written in Rust or Go (for cross-platform compatibility & evasion)
- Uses AES-256 + RSA-2048 hybrid encryption
- Targets specific file extensions (documents, databases, backups)
- Deletes Volume Shadow Copies (prevents system recovery)
- Steals sensitive data before encryption
- Threatens to leak data on the dark web if ransom isn’t paid
- Process Injection (hides in legitimate processes like explorer.exe)
- Anti-VM/Sandbox Checks (detects virtualized environments)
- Delayed Execution (bypasses automated threat detection)
- Drops README_SAURON.txt or HOW_TO_DECRYPT.html
- Victims directed to a Tor-based payment portal
- Ranges from 10,000 to 1M+ depending on target
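
Two of the characteristics listed above leave host artifacts a defender can hunt for: Volume Shadow Copy deletion and the dropped ransom notes. The triage sketch below is an added example, not code from the original page. The event schema, host names and note-spread threshold are assumptions, the sample events are constructed, and the `vssadmin`/`wmic` command lines are assumed common deletion methods, since the page names only the behaviour.

```python
import ntpath
import re
from collections import defaultdict

NOTE_NAMES = {"readme_sauron.txt", "how_to_decrypt.html"}  # note names from the page
VSS_DELETE = re.compile(  # assumed commands: the page names only the behaviour
    r'vssadmin(\.exe)?"?\s+delete\s+shadows|wmic(\.exe)?"?\s+shadowcopy\s+delete',
    re.IGNORECASE,
)

def triage(events, note_dir_threshold=3):
    """Group matching events per host; hosts with no match are omitted."""
    hosts = defaultdict(lambda: {"vss_cmds": [], "note_dirs": set()})
    for ev in events:
        if ev["type"] == "process" and VSS_DELETE.search(ev["detail"]):
            hosts[ev["host"]]["vss_cmds"].append(ev["detail"])
        elif ev["type"] == "file":
            # ntpath parses Windows paths regardless of the analysis host's OS
            if ntpath.basename(ev["detail"]).lower() in NOTE_NAMES:
                hosts[ev["host"]]["note_dirs"].add(ntpath.dirname(ev["detail"]).lower())
    findings = {}
    for host, h in hosts.items():
        both = bool(h["vss_cmds"] and h["note_dirs"])        # recovery removed + note dropped
        spread = len(h["note_dirs"]) >= note_dir_threshold   # notes across many folders
        findings[host] = {
            "severity": "high" if both or spread else "medium",
            "vss_cmds": h["vss_cmds"],
            "note_dirs": sorted(h["note_dirs"]),
        }
    return findings

# Constructed sample events (hypothetical schema: host, type, detail)
SAMPLE_EVENTS = [
    {"host": "FS01", "type": "process",
     "detail": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "type": "file", "detail": r"D:\Shares\Finance\README_SAURON.txt"},
    {"host": "FS01", "type": "file", "detail": r"D:\Shares\HR\README_SAURON.txt"},
    {"host": "WS17", "type": "file", "detail": r"C:\Users\amy\Desktop\HOW_TO_DECRYPT.html"},
    {"host": "WS22", "type": "process", "detail": "vssadmin list shadows"},
    {"host": "WS22", "type": "file", "detail": r"C:\Users\bob\Documents\readme.txt"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding["severity"], finding["note_dirs"])
```

A note name alone is a weak signal because it is trivially changed between builds; the pairing with shadow-copy deletion on the same host is what raises the severity.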